Security lapses at Apple and Amazon lead to an epic hack. This could be you.

There’s only so much you can do to protect yourself online. You can practice safe computing: not clicking on bogus links in emails or social media, using strong passwords, not giving out personal information to strangers.

You can do all these things and still be a digital victim if the processes and practices of the companies with which you do business are lacking.

And judging from the terrifying tale of Mat Honan, the security practices of two of the biggest need a lot of work.

If you use online services, you should read it carefully – particularly if you’re an Apple or Amazon.com customer. It’s long, but well worth your time.

Honan’s first paragraph lays out a summary of what happened:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

Step by step, here’s what happened to him:

• The hackers began by going to Honan’s personal website, which was linked from his Twitter account. Honan’s Gmail address was there, and they entered it into Google’s automated password-recovery form, which displays a partially masked version of the account’s alternative email address. Enough of it showed to guess that it was an Apple .me address.

• Next the hackers looked up the public registration record for Honan’s web domain, which yielded his billing address.

• The hackers then called Amazon, pretending to be Honan, and said they wanted to add a credit card number to his account. Amazon only requires the account holder’s name, billing address and an email address associated with the account to make this change, and the card number itself can be produced with an online generator, which is what the hackers did. They then called back and asked to add a new email address to the account; this time the check was to recite a credit card number on file, and they could, because it was the fake one they had just added. With their own email address on the account, they requested a password reset, which gave them access to Honan’s account details – including the last four digits of his real credit card.

• Next they called Apple tech support, where you can bypass security questions to access an account by giving out a customer billing address and the last four digits of an associated credit card. They now had control of Honan’s iCloud account, to which his iPhone, iPad and MacBook Pro were linked.

• The hackers used Find My iPhone and Find My Mac to wipe his devices.

• Once the hackers had control of Honan’s iCloud account, they also controlled his .me email address – which was the backup address for his Gmail. A Gmail password reset sent to that address got them into his Google account, and a Twitter password reset sent to Gmail then gave them control of his @mat Twitter feed.

• Oh, and because Honan’s Twitter feed was still linked to Gizmodo’s main Twitter account – even though he’s no longer employed there – they were able to hijack @Gizmodo, too.
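The chain above is a dependency graph: each support procedure or password-reset flow hands out facts that unlock the next one. The following is an added example, not code from Honan’s article or from any of the companies involved, that models those steps as rules and forward-chains from public information to see what falls, and then reruns the analysis with a second factor on the Google account, as Honan suggests. The asset and procedure names are my own labels for the steps described above, and the assumption that AppleCare also needed the .me address as the account identifier comes from Honan’s note that the caller claimed to be locked out of that mailbox.

```python
"""Account-recovery dependency analysis (constructed example).

Each Rule is one recovery or support procedure: given the facts the caller
already holds, it grants new facts. Starting from public information, we
forward-chain until nothing new is reachable, then ask which single control
breaks the chain. Labels are this example's own, not vendor terminology.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    via: str            # the procedure being abused
    needs: frozenset    # facts the caller must already hold
    grants: frozenset   # facts the procedure hands over


def rule(via, needs, grants):
    return Rule(via, frozenset(needs), frozenset(grants))


# One rule per step in the chain described in the text.
HONAN_RULES = (
    rule("personal website linked from Twitter", {"twitter_profile"}, {"gmail_address", "domain_name"}),
    rule("Google recovery form shows masked backup address", {"gmail_address"}, {"me_address"}),
    rule("domain registration record", {"domain_name"}, {"name", "billing_address"}),
    rule("Amazon phone support: add a (fake) card", {"name", "billing_address", "gmail_address"}, {"card_on_amazon"}),
    rule("Amazon phone support: add email, then reset password", {"name", "billing_address", "card_on_amazon"}, {"amazon_account"}),
    rule("Amazon account page", {"amazon_account"}, {"card_last4"}),
    # Assumption: the caller also has to name the account (.me address).
    rule("AppleCare temporary password", {"me_address", "billing_address", "card_last4"}, {"apple_id"}),
    rule("iCloud: .me mailbox and Find My", {"apple_id"}, {"me_mailbox", "remote_wipe"}),
    rule("Gmail password reset to backup address", {"me_mailbox"}, {"gmail_account"}),
    rule("Twitter password reset to Gmail", {"gmail_account"}, {"twitter_mat"}),
    rule("@Gizmodo still linked to @mat", {"twitter_mat"}, {"twitter_gizmodo"}),
)

PUBLIC = frozenset({"twitter_profile"})  # what any stranger starts with


def reachable(rules, start):
    """Forward-chain to a fixpoint. Returns (facts, ordered list of procedures used)."""
    facts = set(start)
    path, fired = [], set()
    changed = True
    while changed:
        changed = False
        for r in rules:
            if r in fired or not r.needs <= facts:
                continue
            facts |= r.grants
            path.append(r.via)
            fired.add(r)
            changed = True
    return facts, path


def compromised(rules=HONAN_RULES, start=PUBLIC):
    """Everything an attacker gains beyond the starting facts."""
    facts, _ = reachable(rules, start)
    return facts - set(start)


def attack_path(target, rules=HONAN_RULES, start=PUBLIC):
    """Procedures used, in order, if `target` is reachable; otherwise None."""
    facts, path = reachable(rules, start)
    return path if target in facts else None


def require_second_factor(rules, asset, factor):
    """Every procedure that hands over `asset` now also needs `factor`.
    The attacker never holds `factor`, so those rules can no longer fire."""
    return tuple(replace(r, needs=r.needs | {factor}) if asset in r.grants else r
                 for r in rules)


if __name__ == "__main__":
    for step in attack_path("twitter_gizmodo"):
        print("->", step)
    hardened = require_second_factor(HONAN_RULES, "gmail_account", "google_second_factor")
    print("with 2FA on Google, still lost:", sorted(compromised(hardened)))
```

Run as-is, the first loop prints the eleven procedures in the order the text lists them. The hardened run shows exactly what a second factor on Google closes and what it does not: Gmail and both Twitter accounts drop out of the reachable set, while the Apple ID and remote wipe remain reachable, because that part of the chain never passes through Gmail. Putting a stronger check on the Amazon or AppleCare rule instead cuts the chain earlier; swapping `"gmail_account"` for `"amazon_account"` or `"apple_id"` in the call shows the difference.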

In this nasty timeline, you can see how quickly the hack proceeded:

At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his .Me e-mail — which, of course was my .Me e-mail.

In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hackers supplied only two pieces of information that anyone with an internet connection and a phone can discover.

At 4:50 p.m., a password reset confirmation arrived in my inbox. I don’t really use my .Me e-mail, and rarely check it. But even if I did, I might not have noticed the message because the hackers immediately sent it to the trash. They then were able to follow the link in that e-mail to permanently reset my AppleID password.

At 5:02 p.m., they reset my Twitter password. At 5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time, they deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to my account on Twitter taking credit for the hack.

By wiping my MacBook and deleting my Google account, they now not only had the ability to control my account, but were able to prevent me from regaining access. And crazily, in ways that I don’t and never will understand, those deletions were just collateral damage. My MacBook data — including those irreplaceable pictures of my family, of my child’s first year and relatives who have now passed from this life — weren’t the target. Nor were the eight years of messages in my Gmail account. The target was always Twitter. My MacBook data was torched simply to prevent me from getting back in.

Clearly, weak processes at Amazon and Apple enabled this disaster, but Honan also lays part of the blame on himself:

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

Honan’s been in touch with Apple and Amazon and hopefully this episode will cause both companies to tighten their procedures. He’s also been in touch with one of the hackers, who provided him with the details about how it was done.

Again, read the whole thing. It may cause you to make some changes in the way your own digital life is constructed.